
GET OFF THE MONEY:

Hacking POS and POP SYSTEMS

By Dmitry Chastuhin

Dmitry Chastuhin

• Yet another security researcher: @_chipik
• Head of security consulting at ERPScan
• Knows 3 Spanish words: hola, gracias, sin hogar
Agenda

Conclusion

Introduction to POS

James Jacob Ritty: the first cash register

The previous work

Lucas Zaichkowsky, “Point of Sale System Architecture and Security”

Magstripe readers and unencrypted data

EMV chip: the chip contains magstripe “equivalent” data, unencrypted

The previous work

Ross Anderson, “How Smartcard Payment Systems Fail”

The No-PIN attack
• Insert a device between the card and the terminal
• Make the card think: signature
• Make the terminal think: PIN

The previous work

Nils and Jon Butler, “PinPadPwn” and “Mission mPOSsible”
A “Chippy Pin” game on the terminal

The previous work

Peter Fillmore, “Crash and Pay: Owning and Cloning Payment Devices”

The previous work

Sławomir Jasek, “Hacking challenge: steal a car!”
MITM POS mobile
Why did we choose POS software for our research?

START HERE

Payment ecosystem (diagram, built up over several slides): Consumers, POS Hardware, POS Software, POS Backend, Payment Service Provider (PSP), Acquirers, Credit card brand network, Issuer

Business day

Business day. The beginning (diagram): Store Server and Terms (Open, Get), Manager (Open), Cashiers (Login)

Business day. End of Day (diagram): Terms and Store Server (Send, Close), Manager (Close), Cashiers (Logout)

How did we choose the POS system?

SAP Point of Sale

WHOIS SAP POS
• Old name: Triversity Transactionware GM (2005)
• Platform: Windows 32-bit and 64-bit
• Language: C++
• Current version: SAP POS 2.3 SP 11 build 1171


Architecture

POS Client | Store Server: Xpress Server, Store Database, Store Manager, Store Configurator | Head Office

POS Client (screenshots, with the component marked on the architecture map)
Xpress Server (screenshots)
Store Manager (screenshot)
Store Configurator (screenshots)

SAP POS: Going Deeper

Architecture map (POS Clients | Store Server: Xpress Server, Store Database, Store Manager, Store Configurator | Head Office) with the three parts of the talk marked: PART I, PART II, PART III
How does it work? Part 1

Go from the back.

Store Server and Head Office exchange files over SMB:
/SAP/Retail Systems/Xpress Server/parm/
/SAP/Retail Systems/Store Configurator/data/parm/

Xpress Server

File Architecture

…\Xpress Server\ subfolders: dnload, document, email, logs, Parm, rdata, sdata, txnsave, …
Language folders: FRENCH, GERMAN, ITALIAN, SPANISH
Example files: cnummask.cmk, rcptlogo.rcp, cashier.clg, LAYOUT.UI0, …
How does it work? Part 2

Monitoring is not always good

Store Server (diagram): the Xpress POS Server listens on port 2202; Store Manager and the Database talk over the DBMS port [1433, 1521, 2638, …]

Handmade…
Help response

999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***
999 MONXPS [ON|OFF]
999 [SHOWTERM|TERMINAL-STATUS] [ALL|Term#]
999 [MONTERM|MONITOR-TERMINAL] [ALL|XPS|Term#] [START|STOP|ON|OFF]
999 OPEN-TERMINAL [ALL|Term#]
999 OPEN-STORE [TODAY|NumberOfSecsSinceJan1-1970]
999 CLOSE-TERMINAL [ALL|Term#] [FORCE|NO-FORCE|ABORT]
999 TERMINAL-BALANCE [Term#] [BAL|UNBAL]
999 CASHIER-BALANCE [Cashier#] [1|2|3] [ShortOver Amount] [netTenderTotal] <-- 1=BALANCED 2=UNBALANCED 3=PREVIOUS BALANCE NOW OUT OF DATE
999 UPDATE-CASHIER [Cashier#]
999 DELETE-CASHIER [Cashier#]
999 END-OF-DAY [FORCE|NO-FORCE|ABORT]
999 STORE-TOTALS [CLOSE-DAY|CLOSE-WEEK|CLOSE-PERIOD|DONE-END-OF-DAY|...]
999 STORE-TOTALS CONSOL-DAY [RTOT|SRTOT|CTOT|SPROD|...]
999 COMMS-RESET [1|2|3] <-- 1=ALL 2=REMOTE 3=MODEMS
999 FLUSH-PLUCACHE
999 TRIGGER-NEWPROMOS
999 SHUTDOWN
999 . <-- Use to repeat previous command
DEMO 1

BACKDOORS

BACKDOORS EVERYWHERE

Methods

Public: 23%
Private: 77%
Request → Response

Correct password and login:
APM-VALIDATE-PASSWD 0 1119 1 1337;1234567a
1119 0 1 1 Disp=Authenticated;APMCode=0;   (Password and Login are OK)

Correct login, wrong password:
APM-VALIDATE-PASSWD 0 1119 1 1337;12345
1119 0 1 1 Disp=Authenticated;APMCode=1;   (Wrong Password)

Incorrect login:
APM-VALIDATE-PASSWD 0 1119 1 1337;12345
1119 0 1 1 Disp=Authenticated;APMCode=10;   (Wrong Login)
Reset password
APM-RESET-PASSWD 0 1119 1 1337;CHANGEDPWD1
1119 0 1 1 Disp=Authenticated;APMCode=0;

Update database rows
UPDATE-CASHIER 1337
170 CASHIER-UPDATED 1337

FILE-FIND [file_path]
FILE-FIND C:\1234.txt
168 FILE-FIND 32 34680 19073 7 1234.txt

FILE-OPEN [file-path] [mode]
FILE-OPEN C:\windows\win.ini
160 FILE-OPEN 0

FILE-READ [file_id] [buff_size]
FILE-READ 0 120
EGVideo m4v=MPEGVideo mod=MPEGVideo …

DEMO 2

How does it work? Part 3

POS Clients and Store Server (diagram): the POS Client talks to the Xpress POS Server on port 2200

Message standard

{ Type Len } Where? , What? , End ;

Message types:
MT_FILE_BAD      = 42h  B
MT_FILE_END      = 43h  C
MT_DATAGRAM      = 44h  D
MT_FILE_REQ_ERR  = 45h  E
MT_FILE_DATA     = 46h  F
MT_FILE_GOOD     = 47h  G
MT_REQ_DIR       = 49h  I
MT_FILE_REQ_SEND = 52h  R
MT_FILE_SEND     = 53h  S
MT_UNTYPED       = 55h  U
MT_SEND_CANCEL   = 58h  X
MT_RESP_DIR      = 69h  i
MT_RECV_CANCEL   = 78h  x

File transfer to Xpress Server (diagram, built up over several slides): Attacker and Xpress Server

S  Len  Where?  What?  Size  xps.exe
F  Size  DATA
C
Write file
G

Read with the message type table: the sender opens the transfer with S (MT_FILE_SEND) naming the location and the file xps.exe, streams the content in F (MT_FILE_DATA) frames and closes with C (MT_FILE_END); the server writes the file and answers G (MT_FILE_GOOD).
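A passive decoder for this file-transfer protocol, as an added example that is not code from the talk, from ERPScan or from SAP: it uses the thirteen message types from the table above, reconstructs each S → F → C file-send attempt from a captured byte stream, and flags sends into the parm directory or of .trg/.bat/.exe files, the names the later attack-chain slides abuse. The framing (a 2-byte big-endian length after the type byte, and a "Where?,What?,Size;" header inside the S frame), the SENSITIVE_DIRS/SENSITIVE_SUFFIXES watch list and the sample stream are assumptions constructed for this example, not SAP's documented wire format.

```python
"""Added example: passive reconstruction of Xpress Server file sends.

The message type codes are the ones from the slide. The framing below
(type byte, u16 big-endian length, payload; S payload = "where,what,size;")
is an ASSUMPTION made for this example, not SAP's documented format.
"""
import struct

# Single-byte message types from the slide
MESSAGE_TYPES = {
    0x42: "MT_FILE_BAD", 0x43: "MT_FILE_END", 0x44: "MT_DATAGRAM",
    0x45: "MT_FILE_REQ_ERR", 0x46: "MT_FILE_DATA", 0x47: "MT_FILE_GOOD",
    0x49: "MT_REQ_DIR", 0x52: "MT_FILE_REQ_SEND", 0x53: "MT_FILE_SEND",
    0x55: "MT_UNTYPED", 0x58: "MT_SEND_CANCEL", 0x69: "MT_RESP_DIR",
    0x78: "MT_RECV_CANCEL",
}

# Constructed watch list: the locations and file kinds the talk shows being abused
SENSITIVE_DIRS = ("parm",)
SENSITIVE_SUFFIXES = (".trg", ".bat", ".exe")


def frame(mtype, payload=b""):
    """Build one frame under the assumed framing: type byte, u16 length, payload."""
    return bytes([mtype]) + struct.pack(">H", len(payload)) + payload


def parse_stream(data):
    """Split a byte stream into (type_name, payload) tuples; raise on truncation."""
    frames, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated frame header at offset %d" % pos)
        mtype = data[pos]
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
        payload = data[pos + 3:pos + 3 + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % pos)
        frames.append((MESSAGE_TYPES.get(mtype, "UNKNOWN_%02X" % mtype), payload))
        pos += 3 + length
    return frames


def is_truncated(data):
    """True when the stream cannot be split into whole frames."""
    try:
        parse_stream(data)
        return False
    except ValueError:
        return True


def reconstruct_transfers(frames):
    """Follow S -> F* -> C sequences; return one record per attempted file send."""
    transfers, current = [], None
    for name, payload in frames:
        if name == "MT_FILE_SEND":
            header = payload.decode("ascii", "replace").rstrip(";")
            where, what, size = (header.split(",") + ["", "", ""])[:3]
            current = {"where": where, "what": what, "declared_size": int(size or 0),
                       "received": 0, "complete": False}
            transfers.append(current)
        elif name == "MT_FILE_DATA" and current is not None:
            current["received"] += len(payload)
        elif name == "MT_FILE_END" and current is not None:
            # Only a send whose data matches the declared size counts as complete
            current["complete"] = current["received"] == current["declared_size"]
            current = None
        elif name in ("MT_SEND_CANCEL", "MT_RECV_CANCEL"):
            current = None
    return transfers


def is_sensitive(transfer):
    """Flag writes into the parm directory or of trigger/batch/executable files."""
    where = transfer["where"].lower()
    what = transfer["what"].lower()
    return where in SENSITIVE_DIRS or what.endswith(SENSITIVE_SUFFIXES)


# Constructed sample: a cashier file into rdata, then an empty trigger file into parm
SAMPLE_STREAM = (
    frame(0x53, b"rdata,cashier.clg,5;") + frame(0x46, b"hello") + frame(0x43)
    + frame(0x53, b"parm,newparm.trg,0;") + frame(0x43)
    + frame(0x47)
)

if __name__ == "__main__":
    for t in reconstruct_transfers(parse_stream(SAMPLE_STREAM)):
        flag = "SENSITIVE" if is_sensitive(t) else "ok"
        print("%s/%s complete=%s -> %s" % (t["where"], t["what"], t["complete"], flag))
```

A truncated capture raises ValueError instead of silently dropping the final frame, so a monitor built on this will not lose a file write that straddles a packet boundary; the second transfer in the sample shows why zero-length sends must still be reported, since an empty newparm.trg is all the trigger needs.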

DEMO 3

How to buy a MacBook for $3

POS Client, Xpress Server, POS client (diagram, built up over several slides)

Step by step we'll get success

4 facts about SAP POS can help us make a trick

1. Store Configurator creates config files, and Xpress Server will apply them if it finds a ”newparm.trg” file in the special directory.
2. We can write any data we want to any file on Xpress Server using port 2200.
3. POS Clients (Terminals) update their parameters after opening.
4. We can close and open POS Terminals using telnet and port 2202.
Attack chain (diagram: Attacker, Xpress Server on ports 2200 and 2202, POS Client, Database), built up over several slides:
1 Evil configuration files (attacker → Xpress Server, port 2200)
2 Trigger file ”newparm.trg” (attacker → Xpress Server, port 2200)
3 Apply new settings (Xpress Server)
4 Write some of them in database (Xpress Server → Database)
5 Close Terminal (attacker → Xpress Server, port 2202)
6 Close Terminal (Xpress Server → POS Client)
7 Open Terminal (attacker → Xpress Server, port 2202)
8 Open Terminal (Xpress Server → POS Client)
9 Get evil configuration files (POS Client ← Xpress Server)

Any additional features?

Diagram (built up over several slides): Attacker with a listening port, Xpress Server on port 2200, directories …\SAP\Xpress Server\... and …\Xpress Server\PARM\...
1 “XPSPARM.bat”
2 “newparm.trg”
3 Found “newparm.trg”
4 Delete “newparm.trg”
5 Search for “XPSPARM.bat”
6 Execute “XPSPARM.bat”
7 Make shell back connect
8 Any command
9 Execute command

DEMO 4

Fixes

Security note was released on the July Patch Day (11th of July 2017)

Note #    Title                                                                          Priority   CVSS
2476601   Missing Authentication checks in SAP Point of Sale (POS) Retail Xpress Server   High       8.1

“… A new setting, BACKOFFICEIPADDRESS is added. The user can use it to specify the IP address of the system that hosts the Back Office Applications. It is used only if the Back Office Applications are not hosted at the same system as the Xpress Server...”

from SAP NOTE #2476601, July 2017
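The command interface on port 2202 shown earlier (the help response, APM-VALIDATE-PASSWD / APM-RESET-PASSWD, FILE-FIND / FILE-OPEN / FILE-READ) accepts its verbs without authentication, and the fix quoted above is an allow-list of one back-office IP address. The following is an added example, not code from the talk, from ERPScan or from SAP: a log scanner that applies the same allow-list idea on the monitoring side, raising an alert whenever a sensitive verb reaches port 2202 from any host other than the configured back-office address. The log line format, the IP addresses and the command categories are constructed for this example; the verbs themselves are the ones on the slides.

```python
"""Added example: flag sensitive Xpress Server management commands on port 2202
that do not come from the back-office host (the allow-list that the
BACKOFFICEIPADDRESS setting introduces). Log format, addresses and the
category labels are CONSTRUCTED for this example; the verbs are from the talk.
"""
from dataclasses import dataclass
import re

# Verbs from the help response and the backdoor slides, grouped by what they touch
SENSITIVE_COMMANDS = {
    "SHUTDOWN": "store operation", "END-OF-DAY": "store operation",
    "OPEN-STORE": "store operation", "OPEN-TERMINAL": "terminal control",
    "CLOSE-TERMINAL": "terminal control", "COMMS-RESET": "store operation",
    "UPDATE-CASHIER": "cashier management", "DELETE-CASHIER": "cashier management",
    "APM-VALIDATE-PASSWD": "credential check", "APM-RESET-PASSWD": "credential reset",
    "FILE-FIND": "file access", "FILE-OPEN": "file access", "FILE-READ": "file access",
}

# Constructed log format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <payload>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    command: str
    reason: str


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def command_name(payload):
    """First token of the payload, upper-cased; server replies start with a code."""
    return payload.split(None, 1)[0].upper() if payload.strip() else ""


def scan(lines, backoffice_ip, xps_port="2202"):
    """Alert on sensitive verbs sent to the management port from any host other
    than the back-office address. Replies (numeric first token) are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] != xps_port:
            continue
        name = command_name(rec["cmd"])
        if not name or name[0].isdigit():
            continue  # a response such as "999 ..." or "160 FILE-OPEN 0"
        category = SENSITIVE_COMMANDS.get(name)
        if category and rec["src"] != backoffice_ip:
            alerts.append(Alert(rec["ts"], rec["src"], name,
                                "%s from non-back-office host" % category))
    return alerts


# Constructed sample: 10.0.0.5 is the back office, 10.0.0.77 is an unknown workstation
SAMPLE_LOG = """\
2017-07-11T09:00:01 10.0.0.5:51000 -> 10.0.0.10:2202 SHOWTERM ALL
2017-07-11T09:00:02 10.0.0.10:2202 -> 10.0.0.5:51000 999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***
2017-07-11T09:05:10 10.0.0.5:51001 -> 10.0.0.10:2202 END-OF-DAY NO-FORCE
2017-07-11T12:30:00 10.0.0.77:40022 -> 10.0.0.10:2202 APM-RESET-PASSWD 0 1119 1 1337;CHANGEDPWD1
2017-07-11T12:30:05 10.0.0.77:40023 -> 10.0.0.10:2202 FILE-READ 0 120
2017-07-11T12:31:00 10.0.0.77:40024 -> 10.0.0.10:2200 S 40 parm newparm.trg 0
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines(), backoffice_ip="10.0.0.5"):
        print(a.ts, a.src, a.command, a.reason)
```

The port filter is deliberate: traffic on port 2200 (the file-transfer channel) has a different format and needs its own decoder, so the scanner ignores it rather than misclassifying it; the back-office address is a parameter, which mirrors the single-address allow-list of the patched server.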


Patching: better late than never

One more patch?

Another security note was released (18th of August 2017)

Note #    Title                                                                         Priority   CVSS
2520064   Missing Authentication check in SAP Point of Sale (POS) Retail Xpress Server   High       8.1

Need more gold security notes...

Note #    Title                                                                 Priority
2529966   Correction: Store Manager crashes after entering with credentials.    medium priority

7th of September 2017

All SAP notes
• 2476601 – first patch
• 2520064 – patch for the first patch
• 2529966 – patch for the patch that patched the first patch
• 2528596 – backdoor user problem
Conclusion

• POS is not only POS terminals and PIN pads
• Communication between POS workstations and the POS server is insecure
• Little bugs bring big troubles for stores and customers

Conclusion

1. Include SAP systems in the scope of your existing services
   • GDPR audit
   • ISMS implementation for SAP systems in scope
   • Threat detection and SAP – SIEM integration
2. Prove your selling proposition is unique with the ROI of SAP security
3. Create a 360-degree image of an SAP security provider


How We Can Help?

SAP Security Audit:
• security assessment of network, OS, DBMS related to SAP
• SAP vulnerability assessment
• security configuration checks
• critical access control checks
• custom code security review
• segregation of duties analysis

ERPScan Monitoring Suite:
• SAP vulnerability assessment
• Source Code scanning
• Segregation of Duties assessment

SAP Security Consulting:
• Implementation of SAP Vulnerability Management process
• SAP security plans, architecture and project documents expertise
• SAP risk assessment

SAP Penetration Testing:
• simulate external and internal attacks
• provide a list of vulnerabilities
• escalate privileges and show you how much data can leak
• try to reach connected systems
• estimate overall harm to business operations
Thank you

Dmitry Chastuhin
Lead SAP Security Analyst
d.chastuhin@erpscan.com

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255
EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892

Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1
erpscan.com
inbox@erpscan.com
